Twelve years after passing novel privacy legislation, Massachusetts is seeking to join several other states in shoring up its data security regulations.
The Massachusetts Information and Privacy Security Act would hold businesses to greater accountability for mishandling users’ personal data, impose fines for preventable security breaches and give users greater rights to action should their data be used in violation of the bill’s rules.
According to the National Law Review, the tighter regulations will apply to firms that earn more than $25 million in gross global revenue, process more than 100,000 individuals’ personal data, or collect this data from at least 10,000 individuals and sell it to outside parties. The firms would be required to register with the state.
The original law, adopted in November 2009, required businesses to implement systems and protocols that would ensure the security of the personal and private information they processed. However, the law does not specify the scope of these systems and responsibilities to the extent the current bill does.
Chris Hart, a partner at Boston law firm Foley Hoag with a specialty in data and privacy security, said the bill “would be the most comprehensive privacy law in the U.S.” if it passes.
Hart, who recently briefed the Advanced Cyber Security Center on the particulars of the bill, said its main goal is to expand individuals’ “affirmative rights” regarding the security of their own private data. Most data security laws in the country only obligate firms to notify customers and other relevant parties in the event of data breaches.
MIPSA would broaden the definition of personal data, which Hart said would allow individuals the rights to notice, deletion and opting out of the sale of information.
“It’s not entirely clear who’s responsible for what in the data-sharing chain,” Hart said, but he believes MIPSA’s passage would clarify this issue and help individuals exercise control over what businesses and other entities do with their private information.
Although the Senate bill, which has 12 co-sponsoring legislators, is still in the early stages of deliberation, local lawmakers have expressed support for protecting citizens’ data.
“It used to be that ultra-profitable corporations would make money by selling great products; these days they make money by selling us,” state Sen. Paul Feeney, D-Foxboro, said in a statement. “As it currently stands, our virtual data trail is up for grabs by big tech companies, data brokers and bad actors that sell our personalized internet data for a profit. As we continue to propel further into the digital age, with online activity becoming an essential part of our lives, we have to take steps to ensure our personal data remains safe and secure, and that our Massachusetts statutes reflect that.”
Members of the business community, like Bluestone Bank President Meg McIsaac, are confident the bill will accomplish its goal of protecting customers and believe that banks in particular are already leaders in data security.
“Banks historically have done a great job and all that they can, in terms of resource allocation, to protect customers’ personal information, and our industry has been subject to strict information security for more than 20 years,” she said.
MIPSA has been extensively amended since its first draft. Originally, the bill provided for a new state agency that would focus entirely on enforcement. According to the National Law Review, the amended draft “also narrowed the number of affected businesses, eliminated language creating duties of care, confidentiality, and loyalty, expanded the categories of exempted businesses, and narrowed the definition of biometric data.”
Despite the removal of some of the more heavy-handed provisions, MIPSA would still make Massachusetts a national leader in cybersecurity and citizens’ rights to action. Under the new law, residents would have greater rights of access, disclosure and deletion of certain data. In the event of a breach, victims could be entitled to up to $500 per individual per violation in compensation.
Banking is the industry perhaps most concerned with data security and the legislation that regulates it, said Kathleen Murphy, president and CEO of the Massachusetts Bankers Association, who also believes banks are subject to some of the most stringent privacy and security laws in the country.
“It’s all about maintaining confidence in the banking system, and individuals feel their information is being maintained in a safe and secure way,” she said.
The bill emerged from committee on Feb. 14 and was referred to the Senate Ways and Means committee.